BGP MD5: Good, Bad, Ugly?

Similar documents
Securing a Core Network

Cisco Configuring Commonly Used IP ACLs

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Bell Aliant. Business Internet Border Gateway Protocol Policy and Features Guidelines

Firewalls. Chapter 3

basic BGP in Huawei CLI

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

MPLS over IP-Tunnels. Mark Townsley Distinguished Engineer. 21 February 2005

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

DDoS Mitigation Techniques

Cisco IOS Flexible NetFlow Technology

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

VPN. Date: 4/15/2004 By: Heena Patel

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

MPLS RSVP-TE Auto-Bandwidth: Practical Lessons Learned

Firewall Design Principles Firewall Characteristics Types of Firewalls

APNIC elearning: BGP Attributes

Security and Access Control Lists (ACLs)

MPLS RSVP-TE Auto-Bandwidth: Practical Lessons Learned. Richard A Steenbergen <ras@gt-t.net>

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Implementing Secure Converged Wide Area Networks (ISCW)

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Introduction to Routing

BGP overview BGP operations BGP messages BGP decision algorithm BGP states

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

A S B

Proxy Server, Network Address Translator, Firewall. Proxy Server

Introduction to MPLS-based VPNs

Network Security. Mobin Javed. October 5, 2011

21.4 Network Address Translation (NAT) NAT concept

Firewalls. Network Security. Firewalls Defined. Firewalls

Unicast Reverse Path Forwarding

MPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Chapter 4. Distance Vector Routing Protocols

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Configuring Flexible NetFlow

Lab Characterizing Network Applications

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

SECURITY ADVISORY FROM PATTON ELECTRONICS

Lab Developing ACLs to Implement Firewall Rule Sets

Distance Vector Routing Protocols. Routing Protocols and Concepts Ola Lundh

GregSowell.com. Mikrotik Security

BFD. (Bidirectional Forwarding Detection) Does it work and is it worth it? Tom Scholl, AT&T Labs NANOG 45

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Security vulnerabilities in the Internet and possible solutions

Intro to Firewalls. Summary

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

BGP FORGOTTEN BUT USEFUL FEATURES. Piotr Wojciechowski (CCIE #25543)

Advanced Transportation Management Systems

Firewall Implementation

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

LAB II: Securing The Data Path and Routing Infrastructure

Stateful Firewalls. Hank and Foo

Network layer: Overview. Network layer functions IP Routing and forwarding

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia

Firewalls. Ahmad Almulhem March 10, 2012

Amazon Virtual Private Cloud. Network Administrator Guide API Version

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Privacy and Security in MPLS Networks

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

A Model Design of Network Security for Private and Public Data Transmission

E : Internet Routing

Linux Network Security

Border Gateway Protocol (BGP)

Implementing and Managing Security for Network Communications

Lecture 23: Firewalls

Netflow Overview. PacNOG 6 Nadi, Fiji

My FreeScan Vulnerabilities Report

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Amazon Virtual Private Cloud. Network Administrator Guide API Version

BGP Basics. BGP Uses TCP 179 ibgp - BGP Peers in the same AS ebgp - BGP Peers in different AS's Private BGP ASN. BGP Router Processes

MPLS VPN Security BRKSEC-2145

Why Is MPLS VPN Security Important?

Introducing Basic MPLS Concepts

Security Technology White Paper

How To Set Up Bgg On A Network With A Network On A Pb Or Pb On A Pc Or Ipa On A Bg On Pc Or Pv On A Ipa (Netb) On A Router On A 2

Policy Based Forwarding

SECURITY IN AN IPv6 WORLD MYTH & REALITY. SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann

Firewall-on-Demand. GRNET s approach to advanced network security services management via bgp flow-spec and NETCONF. Leonidas Poulopoulos

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Frequent Denial of Service Attacks

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

MPLS VPN Security Best Practice Guidelines

Solution of Exercise Sheet 5

IPv6 over IPv4/MPLS Networks: The 6PE approach

Firewall Design Principles

Transcription:

BGP MD5: Good, Bad, Ugly? NANOG 39 February 06, 2007 Tom Scholl, AT&T Labs

Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 2

BGP MD5 What is it solving? A method to authenticate the identity of the remote BGP neighbor. Prevents a session from being hijacked/severed Prevents a misconfiguration from turning up a session with an unauthorized party Well-advertised workaround to TCP/IP issue reported two years ago Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 3

Background: BGP MD5 (RFC 2385) Not a function of BGP 18-20 bytes of data in the TCP options field Calculated based upon: TCP pseudo-header (src ip, dst ip, ip protocol, segment length) TCP header (excluding options) TCP segment data (if any) The key/password itself Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 4

But what about that vulnerability?!?!1111 One of the issues was that many platforms were not validating ICMP messages such as unreachable messages An attacker could transmit spoofed ICMP error messages to sever a BGP session Another issue was that someone could attempt to brute force by transmitting RST's to a wide range of ports and sequence numbers MD5 was overwhelmingly suggested as a workaround method to prevent this type of attack without upgrading code People knew something was up when a large portion of the peering community started requesting MD5 on BGP sessions Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 5

BGP MD5 is not easy for everyone Some organizations provisioning tools required upgrading and human intervention to enable MD5 The storing of the password in a database or CRM tool presents its own security issues How do you securely transmit the clear text password? How are you generating the password (using some java interface on some public IT website?) Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 6

How to properly exchange MD5 keys Pig Latin + Cone of Silence Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 7

What is the real impact of BGP MD5? Examining a MD5 hash in the TCP header adds additional work to a router. What if an attacker can spoof with incorrect MD5 hashes to make your router work a bit more? Someone shouldn't be spoofing in the first place if antispoofing filters were applied at the perimeter. However...this is not always feasible (think ebgp customers, shared LAN Internet exchanges) Perhaps the widespread use of BGP MD5 really is not the only or best solution going forward Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 8

What other options are there to protect BGP sessions? BGP TTL security check (GTSM) BGP session over a separate protected interface (dot1q, dlci, tunnel, pseudowire) ebgp multihop Anti-spoofing ACLs Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 9

What was tested? Platforms examined: Cisco GSR (GRP-B) running 12.0(27)S Cisco GSR (PRP-1) running 12.0(27)S Cisco GSR (PRP-2) running 12.0(27)S Juniper T320 (RE-2000) running JunOS 8.x Juniper M40e (RE-3.0) running JunOS 8.x Cisco 6500 (Sup720) running 12.2(17)S Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 10

What sorts of attacks ebgp session with MD5 configured Sending incorrect MD5 hash Sending no MD5 ebgp session with MD5 configured and GTSM Sending bad MD5 Sending no MD5 Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 11

Testing Results Some platforms log BGP MD5 related errors (invalid hash, no hash). This results in additional CPU be spent on logging processes. This can be even worse if you are logging to the console. Some platforms that can not do the TTL check in hardware exhibits worse or the same performance hit as without TTL checking enabled. Example: Cisco GSR GRP-B resulted in 50% increase in CPU utilization at low (1,000pps) speed attacks. Some platforms examine the MD5 hash before TTL check and log accordingly. Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 12

Testing Results (cont'd) The actual difference between packets with a signed MD5 hash versus those without was very minimal on most platforms. Most modern route processors showed a difference of less than 10% of CPU utilization. Using MD5 as an attack vector is useless; packets-persecond (signed or unsigned) will impact you the most. The use of TTL checking made no significant difference either (when checked 'in software'). Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 13

What are the impacts of the alternatives? TTL checking is great, if done in hardware (not being performed in the route processor CPU) Cisco CRS-1 can Juniper M120, M320, T320, T640 can All other Cisco devices seem incapable All other Juniper devices seem incapable (If the above is not accurate, please let me know) Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 14

What about alternative methods to peer BGP? ebgp Multihop Security through Obscurity No failure detection (yet) Separate Interface / Tunnel for BGP traffic Additional complexity BGP next-hop's must be re-written Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 15

Looking at the big picture The real problem is not MD5 or IP TTL taxing the CPU, the issue is why are those packets touching your routeprocessor in the first place. Perhaps we should try to fix that problem first. Can networks mutually agree to not allow their customers to transmit to a peers side of a BGP session? Not easy to do some egress ACLs permit packets sourced from the route processor, some do not. Do not advertise peer point-to-point interfaces into your IGP/iBGP? Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 16

Looking at the big picture (cont'd) Should well-known Internet exchange fabric IP address space be treated and protected as your own infrastructure? Drop any packets from customers destined to exchange space. Still does not fix issues with private peering circuits or customer ebgp sessions. How about do not advertise IXP space within your IGP? Do not even let your customers route to it in the first place. Probably difficult, since people advertise IXP space in BGP frequently today Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 17

So, what can you do? Juniper (M120, M320, T320, T640) Ingress ACL that matches on IP TTL value & ebgp source/destination. Cisco (CRS-1) Other vendors? Use caution with route processor policers that may result in you dropping good traffic Software CoPP may actually make things worse Feb 06, 2007 BGP MD5 Good, Bad, Ugly? Page 18

Thank You Tom Scholl tom.scholl@att.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information